caddy: Use correct HTTP status code

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/d389901567d9ceda5a1a833fbf8e8e254e18eb0a' (2024-03-11)
  → 'github:nix-community/disko/fe064a639319ed61cdf12b8f6eded9523abcc498' (2024-03-11)
• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/65f195e937a170adac199b12eab303b8488bf38b' (2024-03-11)
  → 'github:nix-community/emacs-overlay/69e03a148e6c604aed3579d81989aabccbba4d67' (2024-03-13)
• Updated input 'emacs-overlay/nixpkgs-stable':
    'github:NixOS/nixpkgs/b94a96839afcc56de3551aa7472b8d9a3e77e05d' (2024-03-09)
  → 'github:NixOS/nixpkgs/ddcd7598b2184008c97e6c9c6a21c5f37590b8d2' (2024-03-11)
• Updated input 'home-manager':
    'github:nix-community/home-manager/36f873dfc8e2b6b89936ff3e2b74803d50447e0a' (2024-03-10)
  → 'github:nix-community/home-manager/49a266d2ca59df8a03249550e73a54626181b65d' (2024-03-12)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3030f185ba6a4bf4f18b87f345f104e6a6961f34' (2024-03-09)
  → 'github:nixos/nixpkgs/0ad13a6833440b8e238947e47bea7f11071dc2b2' (2024-03-12)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/73aca260afe5d41d3ebce932c8d896399c9d5174' (2024-03-11)
  → 'github:oxalica/rust-overlay/a30facbf72f29e5c930f394f637559f46a855e8b' (2024-03-13)
• Updated input 'sops':
    'github:Mic92/sops-nix/f8d5c8baa83fe620a28c0db633be9db3e34474b4' (2024-03-10)
  → 'github:Mic92/sops-nix/e52d8117b330f690382f1d16d81ae43daeb4b880' (2024-03-11)

Justfile

@@ -22,4 +22,8 @@ fmt:
     nix fmt
 
 deploy host:
-    nix run ".#apps.nixinate.{{host}}"
+    colmena apply --on {{host}}
+
+[confirm]
+cold-deploy host:
+    colmena apply --on {{host}} --reboot

flake.lock

@@ -124,11 +124,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710119954,
-        "narHash": "sha256-e7AMYtBQgRzeRtn//k1dXu22xeiav+G0cQjm3gEky7o=",
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "d389901567d9ceda5a1a833fbf8e8e254e18eb0a",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
         "type": "github"
       },
       "original": {
@@ -148,11 +148,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1710121508,
-        "narHash": "sha256-lOfYN1BMBNarx3Nvcro6EEXq+ZSUHyhc2WJJdWACwoA=",
+        "lastModified": 1710294321,
+        "narHash": "sha256-h24aWEjBi1VqC+XsCsP7dEd8+uZP380zDZjHgMV8aa8=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "65f195e937a170adac199b12eab303b8488bf38b",
+        "rev": "69e03a148e6c604aed3579d81989aabccbba4d67",
         "type": "github"
       },
       "original": {
@@ -414,11 +414,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710062421,
-        "narHash": "sha256-FiCNRfyUgJOLYIokLiFsfI7B+Zn9HDnOzFR3uVr5qsQ=",
+        "lastModified": 1710281778,
+        "narHash": "sha256-bvWr9vvBrAxb44kHM3H3cY/uQg+4pYP1BM/Nu3e/7V8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "36f873dfc8e2b6b89936ff3e2b74803d50447e0a",
+        "rev": "49a266d2ca59df8a03249550e73a54626181b65d",
         "type": "github"
       },
       "original": {
@@ -586,11 +586,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1710021367,
-        "narHash": "sha256-FuMVdWqXMT38u1lcySYyv93A7B8wU0EGzUr4t4jQu8g=",
+        "lastModified": 1710162809,
+        "narHash": "sha256-i2R2bcnQp+85de67yjgZVvJhd6rRnJbSYNpGmB6Leb8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b94a96839afcc56de3551aa7472b8d9a3e77e05d",
+        "rev": "ddcd7598b2184008c97e6c9c6a21c5f37590b8d2",
         "type": "github"
       },
       "original": {
@@ -634,11 +634,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1709961763,
-        "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
+        "lastModified": 1710272261,
+        "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
+        "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",
         "type": "github"
       },
       "original": {
@@ -762,11 +762,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710123130,
-        "narHash": "sha256-EoGL/WSM1M2L099Q91mPKO/FRV2iu2ZLOEp3y5sLfiE=",
+        "lastModified": 1710295923,
+        "narHash": "sha256-B7wIarZOh5nNnj4GTOOYcxAwVGTO8y0dRSOzd6PtYE8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "73aca260afe5d41d3ebce932c8d896399c9d5174",
+        "rev": "a30facbf72f29e5c930f394f637559f46a855e8b",
         "type": "github"
       },
       "original": {
@@ -783,11 +783,11 @@
         "nixpkgs-stable": "nixpkgs-stable_4"
       },
       "locked": {
-        "lastModified": 1710039806,
-        "narHash": "sha256-vC2fo/phnetp6ub/nRv6mgAi5LbhJ6ujGQWrRD2VgNs=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f8d5c8baa83fe620a28c0db633be9db3e34474b4",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
         "type": "github"
       },
       "original": {

home-manager/modules/emacs/config.org

@@ -1734,14 +1734,12 @@ Register =nushell= LSP with eglot
                  '(nushell-ts-mode . ("nu" "--lsp"))))
 #+end_src
 
-*** hare
+*** Lua
 
-[[https://git.sr.ht/~bbuccianti/hare-mode][hare-mode]] for [[https://harelang.org][hare]] support.
+[[https://github.com/immerr/lua-mode][lua-mode]] for Lua support.
 
 #+begin_src emacs-lisp
-  (use-package hare-mode
-    :ensure nil ;; It's installed outside emacs
-    )
+  (use-package lua-mode)
 #+end_src
 
 * Org

home-manager/modules/emacs/default.nix

@@ -16,28 +16,6 @@ let
       cp ${initFile} $out
     '';
 
-  tree-sitter-hare = pkgs.tree-sitter.buildGrammar {
-    language = "tree-sitter-hare";
-    version = "unstable-2023-12-31";
-    src = pkgs.fetchFromSourcehut {
-      owner = "~ecs";
-      repo = "tree-sitter-hare";
-      rev = "9408bb8fd6c110307f7c92fa834eb5dbd92e36d8";
-      sha256 = "iqaj+7Ax5zfXGXsJw5pesTlTeah2X4Li4LpInDSUTcU=";
-    };
-  };
-
-  hare-mode = pkgs.emacsPackages.trivialBuild {
-    pname = "hare-mode";
-    version = "unstable-2022-04-27";
-    src = pkgs.fetchFromSourcehut {
-      owner = "~bbuccianti";
-      repo = "hare-mode";
-      rev = "bb7b2faccb5939b0c8d4ffa6a6e28a0d2bc93dd6";
-      sha256 = "SOnsNDWKL077AgTdpd9zZPhiyv8d/snllzTy53qlco8=";
-    };
-  };
-
   tree-sitter-qml = pkgs.tree-sitter.buildGrammar {
     language = "tree-sitter-qmljs";
     version = "unstable-2024-02-02";
@@ -62,7 +40,6 @@ let
     alwaysTangle = true;
     extraEmacsPackages =
       epkgs: with epkgs; [
-        hare-mode
         vterm
         (treesit-grammars.with-grammars (
           p: with p; [
@@ -90,7 +67,6 @@ let
             tree-sitter-gomod
             tree-sitter-gowork
             tree-sitter-graphql
-            tree-sitter-hare
             tree-sitter-haskell
             tree-sitter-hcl
             tree-sitter-heex

machines/gitea/caddy.nix

@@ -0,0 +1,48 @@
+# { caddy-with-plugins, ... }:
+{
+  pkgs,
+  config,
+  inputs,
+  ...
+}:
+{
+  services.caddy = {
+    enable = true;
+    package = inputs.caddy-with-plugins.lib.caddyWithPackages {
+      inherit (pkgs) caddy buildGoModule;
+      plugins = [ "github.com/caddy-dns/cloudflare@2fa0c8ac916ab13ee14c836e59fec9d85857e429" ];
+      vendorHash = "sha256-9ogaUKtczQ3U/BFdum+tD9kWJ9CH3amR4z2ozE324bY=";
+    };
+
+    email = "erwin@datarift.nl";
+
+    virtualHosts = {
+      "git.datarift.nl" = {
+        extraConfig = ''
+          @local {
+            remote_ip 10.0.0.0/24
+          }
+
+          handle @local {
+            reverse_proxy 127.0.0.1:3000
+          }
+
+          handle {
+            error "Nope." 403
+          }
+
+          tls {
+            dns cloudflare {env.CF_API_TOKEN}
+          }
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  systemd.services.caddy.serviceConfig.EnvironmentFile = [ config.sops.secrets.caddy-env.path ];
+}

machines/gitea/configuration.nix

@@ -7,8 +7,8 @@
     ../../users/root
     ../../users/erwin
     ./backup.nix
-
     ./forgejo
+    ./caddy.nix
   ];
 
   eboskma = {
@@ -83,6 +83,7 @@
     };
     gitea_backup_ssh_key = { };
     gitea_backup_pass = { };
+    caddy-env = { };
   };
 
   system.stateVersion = "22.05";

machines/gitea/secrets.yaml

@@ -1,6 +1,7 @@
 gitea_db_password: ENC[AES256_GCM,data:DhTDb2LuzEnkdSztIsSoICIz1qIpqNQYp2Z69NDNqPib3u/fzjnt6EyI5k9+0c2s0+AZBKPzItCm61WKquoIV80MsDgROANP2LP63j+id4KHMtIvvT7TBZelN8vaZnM422MutUzOFYB0+SA2LcSDtTHL9WKtqTnF4AjK3UpKjYk=,iv:zK65d01tXoSPYIu2JxRy2O8wURD73AqM7r+80H2nzAs=,tag:qc63u9c9/NaMT/OI5IsuLQ==,type:str]
 gitea_backup_ssh_key: ENC[AES256_GCM,data:t+Pu22ziCtpOt5cSdQB9ubfeLRYn6k++dCrMpcuF69AX3yCeZGDAabGx7FHeTFQ0xiUrXo9LxwxJrFAnguOtis67SOT0AO0f6HhrrWTo7XxvuSRRNB3Tk0i8hEXj6KPQMHcqenHLX0T1wJ1ZL/DQCaTgtXBFE5/UlLiF9vWS/OKHNZcRZlpPHWjvBsSfyI6fblmbRUlfekVZKkojA7NQLKSOv5O9oo9v82jQJKk4l+/QBrhmuSpk+AsMob3tRX3EAz/E8ZXo/Zoh1qxUPPWn+jn2PT+dfKUp4DzuJlnJAShjG5H94BcW+7p6g469my5VohpPmZTSCkp6AxDQgSGuWczpksdKRM5aDuIEYdd0DdvbdnZWORZMZamCwsfwRec/hvBbT+h8zjnWqNhsHVdtjLePUQdzXxAksUM2DKGKRyZHhCkKmsx8WqrHzxnJYJVa+e/E3xY4JQ7+zhTrp/FtuiWQitr9kohZupmmBLdBeVQpde2XXdFc7FPAHeCdT2mtE+Z2BfbHjrv4pEEnicXt,iv:iWi4uKEVlAGSNvJj11rnBcCZtp9EJlAjUwxuosOZctQ=,tag:DRPAD/ojMS6BkPtfPWKTag==,type:str]
 gitea_backup_pass: ENC[AES256_GCM,data:6UgfUOgLpCZrRNEcsrG7JKFp4isTSGcuedRnE2tDTe7sHe+8Ky+07VsEW+kUdIx8GnluajpatSeWLCeVT72pJazfz6aECblDLQPJLK9odpwmoqZKHz9wSntnofPWT0CAVYSRG1/NPoyzeIY4+Qu4u4ZmuWmRo/Wy2Sz1jhPapR8=,iv:q0+fbP8pE1uRVuEgN/nl0qV4ymNfhmKdHlZN0MU7QUw=,tag:aCD75vFgcgTkfdBHvbtetw==,type:str]
+caddy-env: ENC[AES256_GCM,data:AZ3k2mVTvfz5ZNVViKu/sN1TsnzJcZmOx4TX4RTdVppHwE0OVuD4cs762VCiePVdFwAaY8cV,iv:B9rNP7Oa8uzz/h3qFEZtbd7RnYE9mpdkbNWIYtd6Upo=,tag:5K01g8VdSQswT1OBLCspJQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -34,8 +35,8 @@ sops:
             bjRhdWRWN1l0WkpiQkx6OGdYanZWYzAKygot2Ef5HWuetcXNP16ZfNx7ZsIXX0Ap
             mMSyckoJWMTnuxBLGq8WZMeoHTANPL+gpVoPU1IULCqpIff5rn7z4g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-10-26T18:26:01Z"
-    mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str]
+    lastmodified: "2024-03-12T15:08:35Z"
+    mac: ENC[AES256_GCM,data:gnJSCpg6du0HQ17LeM76t7DylclKBVTNCH/vupFGzBn1WCYA8rOCoWsnSkmm8cEjw76ucLBpLSbJl+KQrHIGWrZ3cf4fdRMb5HeGRdjSPoXpbVlzX9tH+4db4EeDvICtzhGRrypeCrGK1jgDY8/cXiJiASjvLwU+jpgE7foNyoU=,iv:QHGkNQStKjkE7PNrqqgEr/5rlPJ0AGExfmtPcVU2tT8=,tag:vmEoLq0ta7tG1aQ3X8o7pQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

machines/nix-cache/configuration.nix

@@ -151,7 +151,7 @@
               reverse_proxy 127.0.0.1:8080
             }
             handle {
-              error "Nope." 401
+              error "Nope." 403
             }
 
             tls {

modules/caddy-proxy/default.nix

@@ -28,7 +28,7 @@ let
         reverse_proxy ${target}
       }
       handle {
-        error "Nope." 401
+        error "Nope." 403
       }
 
       tls {

modules/keycloak/default.nix

@@ -80,7 +80,7 @@ in
             route {
                   reverse_proxy @public_or_allowed_remote ${config.services.keycloak.settings.http-host}:${toString config.services.keycloak.settings.http-port}
 
-                  error "Nope." 401
+                  error "Nope." 403
             }
           '';
         };